Been playing your game since inception and before that Puzzle Quest for Nintendo and PC.

One thing I hope you guys can please do is have this game playable without internet. Perhaps every other feature besides PVP and Arena can still be played offline and when we go online it will update our account info.

I don’t know if it is possible but the only reason I am not playing more of it is because of that. Just saying ^^

That would probably be too easy to exploit. The client could be hacked to say, “Sure, I played 200 games over a reasonable interval,” and there’s no way the server would be able to tell. As well, the server makes all loot determinations (including traitstones) and moving that client-side could compromise the integrity of their system.

I would love some offline-only play, but it’d come with some hard problems to solve.

Cheating could be a problem, but solvable using the right encryption techniques. This isn’t the type of stuff your normal programmer could do easily and I don’t know if free libraries exist for this. Paid licensed ones do.
I haven’t followed this type of stuff in a while but am aware of the problems and solutions, just not on the implementation level.
Hmmm, double handshake encryption with new keys every time you do connect to the server. Possibly not hard to do but a lot of work.

Actually… I don’t think this is solvable in theory, unless you have some way of ensuring that you can trust the client. It can probably be made difficult enough to discourage most people, but if you hand someone the code and the keys necessary to perform the encryption, and let them run it on their own hardware, then they can reverse engineer it and create code that returns the correct responses. That’s what “trusted computing” is supposed to solve, by storing the private key and performing certain operations only on the chip. Consoles typically use a similar mechanism, but in both cases, it all depends on keeping the key secure. If someone does manage to extract the key, then they can create responses indistinguishable from those produced by the original code.

Obfuscation can make it more difficult for a human to analyze the code, or the program running in memory, but it can’t prevent it. If your device can run the program, then you’ve got everything you need to duplicate its output.

I’d like to see an offline feature even if it takes more space, maybe as an alternative (bigger) app to download.

But yeah, the problems for devs you’re talking about are even worse than mentioned due to the cross-platform character of the game - they would have to make the whole thing for every platform over again, which is… a nightmare.

So if I had a choice for requesting nightmare programming from the devs, I think I would put the live PVP up front.
Still like the offline idea.

The size of the app is important to me as well. And it’s bound to triple in size (or worse) with significant features.

I don’t think it will get that much bigger. Compiled code and textual data are surprisingly small, so most of the storage size it takes on your device is for the graphics and sounds (mostly graphics actually). Even if the codebase is tripled in size, the effect it will have on the app size will not be very noticeable.

No, @Spherix is correct. This is essentially the “DRM problem,” insofar as the client-side protected data is only as secure as the key material, and it doesn’t matter what algorithms are used for encryption. You can make things hard (by obfuscating the key material) but never intractable.

The data stored locally on the client needs to be protected from tampering while offline. Since that needs to function entirely without access to the server, you’re relying on client-sourced secrets to modify the protected data. That path is vulnerable, as the private key is stored on the client.

Because a private key stored on a client is always vulnerable. A stored public key is fine so long as you are only interested in protecting against man-in-the-middle and don’t care if the machine user can decrypt at will; a stored private key, if found, enables spoofing and tampering in addition to data access. Your security becomes as good as your ability to hide the private key, which becomes an exercise in obfuscation. Finding the key is typically much easier than brute-forcing it.
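The point made in the replies above, as an added example that is not part of the thread or the game's code: a MAC keyed with a secret shipped in the client stops changes in transit, but the server cannot tell a report fabricated on the device from an honest one, whereas a grant MACed with a server-only key cannot be produced by the client. It uses HMAC-SHA256 as a stand-in for whatever client-stored key scheme is chosen; all key values, field names and messages are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys. CLIENT_KEY stands in for any secret shipped inside
# the game client; SERVER_KEY never leaves the server.
CLIENT_KEY = b"constructed-key-embedded-in-client"
SERVER_KEY = b"constructed-key-held-only-by-server"


def tag(message: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(message: dict, mac: str, key: bytes) -> bool:
    """Constant-time check that mac was produced over message with key."""
    return hmac.compare_digest(tag(message, key), mac)


def offline_sync_outcomes() -> dict:
    """Offline design: the server trusts reports MACed with the client key."""
    honest = {"account": "demo", "games_played": 3}
    honest_mac = tag(honest, CLIENT_KEY)
    # Altered in transit by someone without the key: the old MAC no longer fits.
    altered = dict(honest, games_played=200)
    # Produced on the device itself, where the key is available to its owner.
    fabricated_mac = tag(altered, CLIENT_KEY)
    return {
        "honest": verify(honest, honest_mac, CLIENT_KEY),
        "altered_in_transit": verify(altered, honest_mac, CLIENT_KEY),
        "fabricated_on_device": verify(altered, fabricated_mac, CLIENT_KEY),
    }


def server_authoritative_outcomes() -> dict:
    """Online design: the server decides loot and MACs the grant itself."""
    grant = {"account": "demo", "battle": 17, "loot": "traitstone"}
    server_mac = tag(grant, SERVER_KEY)
    inflated = dict(grant, loot="traitstone x200")
    return {
        "server_grant": verify(grant, server_mac, SERVER_KEY),
        "client_forged": verify(inflated, tag(inflated, CLIENT_KEY), SERVER_KEY),
    }


if __name__ == "__main__":
    print(offline_sync_outcomes(), server_authoritative_outcomes())
```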